All about File Permissions in WordPress
When it comes to the overall security of your WordPress website, File Permissions play an important role, if defined properly as per the requirements of your website functionality.
File permissions basically protect your site’s files and directories from unwarranted exposure to the unauthorized users including hackers. In most cases, file permissions are defined in the starting of deployment & hosting of Website, after that we normally do not change them.
Here, we’ll cover some very pertinent aspects of the File Permissions including what they offer to the system, how they are defined and expert recommendations.
File Permissions
File permissions are access controls on WordPress files and directories which specify who can have access to the files and directly. It is very important to specify the file permissions to keep the WordPress file structure intact and secure.
If all users can modify files and directories, or even just see the content, it can be a big security risk. File permissions determines which user is authorized to perform which actions on a particular file.
File permissions form a crucial part of a resistance strategy. On public domain, only limited part of your application system is public. The system files, at least, need to be protected from random modification by attackers. Not to mention, securing the right permissions adds to your site’s security and makes you less vulnerable.
Let’s explore the File permissions in details
They look like a three-digit number, or a combination of letters and hyphens if you’re using File Transfer Protocol (FTP Client), or Secure Shell access (SSH) to edit WordPress file permissions.
File Permissions has two sub elements: 1. Types of Permissions and 2. Roles. Both of these elements are interlinked and work together to indicate the applied file permissions on a particular set of files and directories.
Types of permissions
There are 3 types of file permissions in WordPress: Read, Write, and Execute:
| Permission | Description | Numerical | Symbolic |
| Read | User can view the contents of a file or directory in read only mode. | 4 | r |
| Write | User allowed to modify the contents of a file or directory. | 2 | w |
| Execute | User allowed to run script files inside a directory | 1 | x |
| No permission | User has no access to the file or directory | 0 | – |
Roles
Roles basically denotes the ownership over a set of files. It starts with defining who can access the file. There are 3 categories of roles: User, Group, and World.
- User: A user who is an administrator of your website; who has full control over the file or directory.
- Group: A group is a set of users such as editors, subscribers, contributors, authors and other user roles. It is an easy way to grant owner permissions to a collection of users.
- World: Any other user who does not belong to the above two roles.
Decoding permission numbers and symbols
Now that we have a basic familiarity about Type of File Permissions and the roles upon which File Permissions are applicable, the combination of these two may make a little more sense. The user, the group, and the world roles each have to be assigned permissions for each file or directory. You may have noticed that there are 3 sets of symbols like ‘rwx’ or 3-digit numeric values like ‘755’ which sometimes go beyond 0, 1, 2, and 4. By all permutation and combination of above permissions numerical values, following all possible levels of permissions can be assigned:
- 0= No access at all
- 1= Execute
- 2= Write
- 3= (2 + 1) = Write, and execute
- 4= Read
- 5= (4 + 1) = Read, and execute
- 6= (4 + 2) = Read, and write
- 7= (4 + 2 + 1) = Read, write, and execute
Take a look at the illustration below to see how these ownership roles and permission settings combined together to define the permission for a given file or directory.
In the above numeric illustration, the first number denotes file permissions for a user role, the second for the group role, and the third for the world or other role.
For example:
If you see the number ‘7′, you automatically get to know that the ONLY numbers (4, 2, 1) that you can combine to get the value 7. Here, in this case, all three permission numeric values 4, 2 and 1 combined together which makes the number 7 that represents the read, write and execute permissions being assigned to that particular ownership group for a given file or directory.
So, when you see the permission value ‘5′, you should immediately know that the permissions (4+1) i.e., read & execute, have been granted to that particular ownership group for a given file or directory.
Frequently Used Permission Codes
Some of the most frequently used file permission codes are as follows:
| Permission Code | Description |
| 755 | means that the owner can do anything while others can read and execute but may not alter the file. This is ideal for public files. |
| 750 | means owner has full control over the files whereas group role can read and execute the file but cannot make any changes into the files. For all other users, no permission is assigned. |
| 711 | means only owner is allowed to do anything with the file or directories while all others can only execute. |
| 700 | means only owner is allowed to do anything with the file or directories while all others have no access. This permission mostly used for private directories and files at the backend |
| 644 | means owner can read and write while others can read only |
| 600 | means that owner can read and write while all other users have no access. This is commonly used for private files. |
| 444 | means that everyone can read the files. |
Ways to configure WordPress File Permissions
- Using FTP: WordPress permissions can be set using FTP through the popular FileZilla client. You can start by successfully establishing a connection with your server. Then, navigate to the file or directory where you want to configure the WordPress permissions and right-click on it, and select the File permissions option as follows:
- Using cPanel: cPanel is one of the most widely used hosting control panel software and it is equally easy to use. Every hosting provider is a bit different so if you want to fix WordPress file permissions through cPanel, it is recommended to go through the documentation information provided by your hosting provider before starting any changes in the system. After successfully login into the cPanel file manager, you can click Change Permission to bring up a popup box that shows a number of checkboxes. From here, you simply have to check – uncheck the desired permissions for the users and groups in terms of their relation to each directory & files.
- Using Plugins: If you aren’t comfortable with above two options i.e., cPanel, FTP, you can explore popular plugins like ‘All in One WP Security’ or ‘WP Hardening plugin’ to change certain WordPress file permissions.
Recommended File Permissions
At the root folder of your WordPress site, there are a number of different folders & files that require proper permissions for their access to the intended users only. As per WordPress community, following combination of permissions are widely recommended and used:
| Relative Path | Recommendation |
| / | 755 |
| wp-includes | 755 |
| wp-admin | 755 |
| wp-admin/js | 755 |
| wp-content | 755 |
| wp-content/themes | 755 |
| wp-content/plugins | 755 |
| wp-content/uploads | 755 |
| wp-config.php | 444 |
| .htaccess | 444 |
Overall Gist: WordPress File Permissions
By now you know that WordPress file permissions are important for securing your site. With the right combination of file permissions, you can protect your website from probable attacks caused by unauthorized edits to files. While setting proper file permissions isn’t the only update that ensure the security of your site, it’s certainly a crucial important step that should definitely be considered.
You can always consult with a WordPromise expert to talk more about this subject. Contact us today!
